Fixed improper handling of pkcs8 in gateway (#1126)

* Fixed improper handling of pkcs8 in gateway * Fixes for review * Bumped gateway version
Soluto · Mar 21, 2019 · 12ec5a3 · 12ec5a3
1 parent 76742f6
commit 12ec5a3
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 32 deletions.
diff --git a/services/gateway/security/authRouter.go b/services/gateway/security/authRouter.go
@@ -7,13 +7,14 @@ import (
 	"net/url"
 	"time"
 
+	"tweek-gateway/appConfig"
+	"tweek-gateway/externalApps"
+	"tweek-gateway/utils"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/negroni"
-	"tweek-gateway/appConfig"
-	"tweek-gateway/externalApps"
-	"tweek-gateway/utils"
 )
 
 // MountAuth -
@@ -37,6 +38,10 @@ func getAuthProviders(providers map[string]appConfig.AuthProvider) negroni.Handl
 }
 
 func authorizeByUserPassword(keyEnv *appConfig.EnvInlineOrPath, basicAuthConfig *appConfig.BasicAuth) negroni.HandlerFunc {
+	key, err := getPrivateKey(keyEnv)
+	if err != nil {
+		logrus.WithError(err).Panic("Private key retrieving failed")
+	}
 	return func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 		if username, password, ok := r.BasicAuth(); ok {
 			err := externalApps.ValidateCredentials(username, password)
@@ -46,10 +51,6 @@ func authorizeByUserPassword(keyEnv *appConfig.EnvInlineOrPath, basicAuthConfig
 				return
 			}
 
-			key, err := getPrivateKey(keyEnv)
-			if err != nil {
-				logrus.WithError(err).Panic("Private key retrieving failed")
-			}
 			requestQuery := r.URL.Query()
 			redirectURLStr := requestQuery.Get("redirect_url")
 			redirectURL, errURL := url.Parse(redirectURLStr)

diff --git a/services/gateway/security/authentication.go b/services/gateway/security/authentication.go
@@ -2,9 +2,7 @@ package security
 
 import (
 	"context"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
+	"crypto/rsa"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -57,8 +55,15 @@ func (u *userInfo) Name() string               { return u.name }
 func (u *userInfo) Issuer() string             { return u.issuer }
 func (u *userInfo) Claims() jwt.StandardClaims { return u.StandardClaims }
 
+var tweekPrivateKey *rsa.PrivateKey
+
 // AuthenticationMiddleware enriches the request's context with the user info from JWT
 func AuthenticationMiddleware(configuration *appConfig.Security, extractor SubjectExtractor, auditor audit.Auditor) negroni.HandlerFunc {
+	var err error
+	tweekPrivateKey, err = getPrivateKey(&configuration.TweekSecretKey)
+	if err != nil {
+		logrus.Panicln("Error reading tweek private key", err)
+	}
 	var jwksEndpoints []string
 	for _, issuer := range configuration.Auth.Providers {
 		jwksEndpoints = append(jwksEndpoints, issuer.JWKSURL)
@@ -85,7 +90,7 @@ func userInfoFromRequest(req *http.Request, configuration *appConfig.Security, e
 		claims := t.Claims.(jwt.MapClaims)
 		if issuer, ok := claims["iss"].(string); ok {
 			if issuer == "tweek" || issuer == "tweek-basic-auth" {
-				return getGitKey(&configuration.TweekSecretKey)
+				return tweekPrivateKey, nil
 			}
 
 			if keyID, ok := t.Header["kid"].(string); ok {
@@ -192,20 +197,3 @@ func getProviderByIssuer(issuer string, providers map[string]appConfig.AuthProvi
 	}
 	return nil, false
 }
-
-func getGitKey(keyEnv *appConfig.EnvInlineOrPath) (interface{}, error) {
-	pemFile, err := appConfig.HandleEnvInlineOrPath(keyEnv)
-	if err != nil {
-		return nil, err
-	}
-	pemBlock, _ := pem.Decode(pemFile)
-	if pemBlock == nil {
-		return nil, errors.New("no PEM found")
-	}
-	key, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
-	if err != nil {
-		return nil, err
-	}
-	rsaPublicKey := key.Public()
-	return rsaPublicKey, nil
-}
diff --git a/services/gateway/security/jwtUtils.go b/services/gateway/security/jwtUtils.go
@@ -1,14 +1,17 @@
 package security
 
 import (
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"sync"
 	"time"
 
+	"tweek-gateway/appConfig"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/sirupsen/logrus"
-	"tweek-gateway/appConfig"
 )
 
 type TweekClaims struct {
@@ -87,19 +90,28 @@ func setExpirationTimer(token *JWTTokenData, key interface{}) {
 	}
 }
 
-func getPrivateKey(keyEnv *appConfig.EnvInlineOrPath) (interface{}, error) {
+func getPrivateKey(keyEnv *appConfig.EnvInlineOrPath) (*rsa.PrivateKey, error) {
 	pemFile, err := appConfig.HandleEnvInlineOrPath(keyEnv)
 	if err != nil {
 		return nil, err
 	}
 
 	block, _ := pem.Decode(pemFile)
+	if block == nil {
+		return nil, errors.New("no PEM found")
+	}
 	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 	if err != nil {
 		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, err
 		}
 	}
-	return key, nil
+
+	rsaKey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return nil, errors.New("key block is not of type RSA")
+	}
+
+	return rsaKey, nil
 }
diff --git a/services/gateway/version.go b/services/gateway/version.go
@@ -1,4 +1,4 @@
 package main
 
 // Version is the version of gateway
-const Version = "1.0.0-rc8"
+const Version = "1.0.0-rc9"